I have Perl code, which uses a library that in turn uses openssl for HTTPS connections. I have been trying to use Wireshark to diagnose this, but I have yet to find a way to have it tell me what steps in the SSL handshaking are happening at a given time (client hello, server hello, &c.). Thus, I am having trouble seeing whether the problem is in my client not doing something right or the server not doing something right. I have not yet figured out how to have it export everything in a capture file in plain text so that I could copy/paste it in a note like this so you could see for yourself what is happening.
I did get openssl s_client to connect properly, and here is the output from that (sanitized of the server operator's ID):

ted@linux-jp04:~/Work/Projects/FirstData> openssl s_client -CAfile server-test.pem -cert client_test.pem -key client_test.key -connect n.n.n.n:8443
CONNECTED(00000003)
depth=1 C = LV, ST = Latvia, L = Riga, O = xxxxxxxxxxxxxxxxxx, CN = server-test, emailAddress = webmas...@xxxxxxxxxxxxxxxxxx.xxx
verify return:1
depth=0 C = LV, O = FDL, CN = lv-rtps-proxy-test.ne.1dc.com
verify return:1
---
Certificate chain
 0 s:/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com
   i:/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxxxxxxx/CN=server-test/emailAddress=webmas...@xxxxxxxxxxxxxxxxxx.xxx
 1 s:/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxxxxxxx/CN=server-test/emailAddress=webmas...@xxxxxxxxxxxxxxxxxx.xxx
   i:/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxxxxxxx/CN=server-test/emailAddress=webmas...@xxxxxxxxxxxxxxxxxx.xxx
---
Server certificate
-----BEGIN CERTIFICATE-----
DELETED
-----END CERTIFICATE-----
subject=/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com
issuer=/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxxxxxxx/CN=server-test/emailAddress=webmas...@xxxxxxxxxxxxxxxxxx.xxx
---
Acceptable client certificate CA names
/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxxxxxxx/CN=server-test/emailAddress=webmas...@xxxxxxxxxxxxxxxxxx.xxx
/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com
---
SSL handshake has read 3690 bytes and written 3700 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 53E0DE54D7D7E928F177883E10447786C15133386DA3F0489796845673C70DEA
    Session-ID-ctx:
    Master-Key: DELETED
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1407245906
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed
ted@linux-jp04:~/Work/Projects/FirstData>

Now, here is the output I get from my Perl client (also sanitized):

$url = https://n.n.n.n:8443/
$scheme = https
$self->{ssl_set} = 0
$self->{ca_cert_dir} = .
$self->{ca_cert_file} = server-test.pem
$LWP::VERSION = 6.05
Setting cert dir and file if available
$self->{ssl_set} = 1
DEBUG: .../IO/Socket/SSL.pm:2503: new ctx 26349088
DEBUG: .../IO/Socket/SSL.pm:526: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:528: socket connected
DEBUG: .../IO/Socket/SSL.pm:550: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:586: not using SNI because hostname is unknown
DEBUG: .../IO/Socket/SSL.pm:634: set socket to non-blocking to enforce timeout=180
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=26317968
DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=26323136
DEBUG: .../IO/Socket/SSL.pm:1539: scheme=www cert=26323136
DEBUG: .../IO/Socket/SSL.pm:1549: identity=n.n.n.n cn=lv-rtps-proxy-test.ne.1dc.com alt=
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1757: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:653: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:2537: free ctx 26349088 open=26349088
DEBUG: .../IO/Socket/SSL.pm:2542: free ctx 26349088 callback
DEBUG: .../IO/Socket/SSL.pm:2549: OK free ctx 26349088
2014/08/05 10:03:05> [http client] communication error: 500 Can't connect to n.n.n.n:8443 (certificate verify failed)
500 Can't connect to n.n.n.n:8443 (certificate verify failed)
ted@linux-jp04:~/Work/Projects/FirstData>

The error "SSL routines:SSL3_GET_SERVER_CERTIFICATE" seems self-explanatory, but what I can't figure out is why communication happens properly when I use openssl s_client, with the CA authority cert and the client side cert and key, but I can't successfully get the server cert, even though my Perl code provides the same information, ultimately to openssl library code. I can post my Perl code, if there is someone in this forum who knows Perl, and especially the libraries used to handle HTTPS communications (and how to get better debugging information from them - I have the IO::Socket::SSL DEBUG variable set to 3, which is the highest debug level available, providing the most information available, according to the docs).

I would appreciate advice on the best way of using Wireshark to provide useful, actionable information; or advice on how to provide the Wireshark logs to you in a way that is useful to you in helping me debug this. I have the CA root cert, used to sign both the server's cert and the client cert, and obviously, I have both the client's key and cert, if any of these files can be used to help Wireshark provide more useful information; but I have no idea how to tell Wireshark to use them, if in fact using them would be useful (I started working with Wireshark this past Friday).

Thanks

Ted

--
R.E.(Ted) Byers, Ph.D.,Ed.D.
______________________________________________________________________
OpenSSL Project                                     http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
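The two transcripts in the post can be compared mechanically. The Python script below is added here as an illustration and is not part of the original thread or of IO::Socket::SSL: it parses an openssl s_client transcript and IO::Socket::SSL DEBUG=3 output of the shapes shown above (constructed samples with placeholder names and the 192.0.2.10 documentation address stand in for the sanitized values) and reports what each side actually verified. Its name check is a simplified stand-in for the RFC 6125 matching IO::Socket::SSL performs, not that module's code. The point it surfaces is the line "identity=n.n.n.n cn=lv-rtps-proxy-test.ne.1dc.com alt=": s_client only checks that the chain is signed by the CA file and never compares the certificate name with the connect target, whereas IO::Socket::SSL additionally requires the name you connect to (here an IP address) to appear in the certificate, so "Verify return code: 0 (ok)" from s_client and "certificate verify failed" from Perl are not contradictory.

```python
import ipaddress
import re

# Constructed s_client transcript (shape of the one in the post, placeholder names).
S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=XX/O=Example/CN=proxy-test.example.com
   i:/C=XX/O=Example CA/CN=server-test
 1 s:/C=XX/O=Example CA/CN=server-test
   i:/C=XX/O=Example CA/CN=server-test
---
Acceptable client certificate CA names
/C=XX/O=Example CA/CN=server-test
/C=XX/O=Example/CN=proxy-test.example.com
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Verify return code: 0 (ok)
---
closed
"""

# Constructed IO::Socket::SSL DEBUG=3 lines (same message shapes as the post).
IO_SOCKET_SSL_DEBUG = """\
DEBUG: .../IO/Socket/SSL.pm:586: not using SNI because hostname is unknown
DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=26317968
DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=26323136
DEBUG: .../IO/Socket/SSL.pm:1539: scheme=www cert=26323136
DEBUG: .../IO/Socket/SSL.pm:1549: identity=192.0.2.10 cn=proxy-test.example.com alt=
DEBUG: .../IO/Socket/SSL.pm:653: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""


def parse_s_client(text):
    """Extract chain, requested client CAs, protocol, cipher and verify code from s_client output."""
    info = {"chain": [], "client_ca_names": [], "protocol": None,
            "cipher": None, "verify_return_code": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "---":
            section = None
        elif line == "Certificate chain":
            section = "chain"
        elif line == "Acceptable client certificate CA names":
            section = "client_ca"
        elif section == "chain" and (m := re.match(r"(\d+) s:(.*)", line)):
            info["chain"].append({"depth": int(m.group(1)), "subject": m.group(2), "issuer": None})
        elif section == "chain" and (m := re.match(r"i:(.*)", line)) and info["chain"]:
            info["chain"][-1]["issuer"] = m.group(1)
        elif section == "client_ca" and line.startswith("/"):
            info["client_ca_names"].append(line)
        elif m := re.match(r"Protocol\s*:\s*(\S+)", line):
            info["protocol"] = m.group(1)
        elif m := re.match(r"Cipher\s*:\s*(\S+)", line):
            info["cipher"] = m.group(1)
        elif m := re.match(r"Verify return code:\s*(\d+)\s*\((.*)\)", line):
            info["verify_return_code"] = (int(m.group(1)), m.group(2))
    return info


def parse_io_socket_ssl_debug(text):
    """Extract SNI use, verify-callback count, identity/cn/alt and the fatal error."""
    info = {"sni": None, "verify_callbacks": 0, "identity": None, "cn": None, "alt": [], "fatal": None}
    for line in text.splitlines():
        m = re.match(r"DEBUG: (\S+):(\d+): (.*)", line)
        if not m:
            continue
        msg = m.group(3)
        if msg.startswith("not using SNI"):
            info["sni"] = False
        elif re.match(r"ok=\d+ cert=", msg):
            info["verify_callbacks"] += 1  # one OpenSSL verify callback per chain element
        elif m2 := re.match(r"identity=(\S+) cn=(\S*) alt=(.*)", msg):
            info["identity"], info["cn"] = m2.group(1), m2.group(2)
            info["alt"] = [a.strip() for a in m2.group(3).split(",") if a.strip()]
        elif m2 := re.match(r"fatal SSL error: (.*)", msg):
            info["fatal"] = m2.group(1)
    return info


def name_matches(identity, cn, alt):
    """Simplified RFC 6125 check (assumption, not IO::Socket::SSL's code): exact match or a
    single leftmost-label wildcard; an IP-literal identity matches only an IP entry in alt."""
    ident = identity.lower()
    try:
        ipaddress.ip_address(ident)
        return ident in [a.lower() for a in alt]
    except ValueError:
        pass
    for name in [cn] + list(alt):
        name = name.lower()
        if name == ident:
            return True
        if name.startswith("*.") and "." in ident and ident.split(".", 1)[1] == name[2:]:
            return True
    return False


def diagnose(sclient, perl):
    """Explain, from the two logs, why s_client can succeed while the Perl client fails."""
    findings = []
    if sclient["verify_return_code"] and sclient["verify_return_code"][0] == 0:
        findings.append("s_client: chain verifies against the CA file; s_client does not "
                        "compare the certificate name with the connect target")
    if sclient["client_ca_names"]:
        findings.append("server requests a client certificate; acceptable CAs: "
                        + "; ".join(sclient["client_ca_names"]))
    if perl["sni"] is False:
        findings.append("Perl client: no SNI sent, hostname unknown to IO::Socket::SSL")
    if perl["identity"] and not name_matches(perl["identity"], perl["cn"], perl["alt"]):
        findings.append(f"Perl client: identity '{perl['identity']}' matches neither CN "
                        f"'{perl['cn']}' nor subjectAltName {perl['alt']}; consistent with "
                        "the name check rejecting the certificate")
    if perl["fatal"]:
        findings.append("Perl client fatal error: " + perl["fatal"])
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_s_client(S_CLIENT_OUTPUT),
                            parse_io_socket_ssl_debug(IO_SOCKET_SSL_DEBUG)):
        print("-", finding)
```

Run as-is it prints the findings for the constructed samples; replace the two string constants with real transcripts to compare an s_client run and a Perl run against the same server. The parser deliberately keeps the "Acceptable client certificate CA names" list, because a server that requests a client certificate is the second place a Perl client can diverge from s_client (a -cert/-key pair given on the command line but not passed through to IO::Socket::SSL).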